Posted
by
BeauHDon Wednesday September 06, 2017 @09:00AM
from the up-to-date dept.

An anonymous reader writes from a report via Bleeping Computer: An attacker can downgrade components of the Android TrustZone technology -- a secure section of smartphone CPUs -- to older versions that feature known vulnerabilities. The attacker can then use previously published exploit code to attack up-to-date Android OS versions. The research team proved their attack in tests on devices running the ARM TrustZone technology, such as Samsung Galaxy S7, Huawei Mate 9, Google Nexus 5, and Google Nexus 6. They replaced updated versions of the Widevine trustlet with an older version that was vulnerable to CVE-2015-6639, a vulnerability in Android's Qualcomm Secure Execution Environment (QSEE) -- Qualcomm's name for its ARM TrustZone version that runs on Qualcomm chips. This vulnerability allows attackers root level access to the TrustZone OS, which indirectly grants the attack control over the entire phone. The research paper is available here, and one of the researcher's authors explains the attack chain in an interview here.

I realise the above post is flamebait, but I wish these posts would stop using the word Android.The vulnerability in this case has nothing to do with Android.

It's an exploit targeting ARM hardware/firmware - nothing to do with Android.When you exploit the hardware of a platform, it doesn't matter what OS the platform is running - it is no longer secure.The same would be true of iOS or any other OS running on this Qualcom chipset.

It's just a happenstance that most open devices run Android.if iOS was allowed to be run on third party hardware, many of these same exploits would apply.

So you think the point is to use the vulnerabilities to root a phone that you had to root in order to install the vulnerability?

Suggest you read the linked interview: "A successful exploit first needs to have the root privilege of the device (e.g., exploit another vulnerability), and then use this issue combined with other vulnerabilities to exploit the device," said the researcher."

Except downgrading the Trustzone will survive a reinstall of the ROM / Factory Reset.

So you could have root on an older version of Android, downgrade the trustzone firmware, upgrade Android to a more secure version, then use the older trustzone firmware to bypass the newer Android version's security. Android can't do shit about it because the firmware runs before it does and as such can thwart any detection, or mitigation attempts Android might make.

Does everything need to be spelled out for you? What is the point of Trustzone if it can be tampered with. Maybe you should go and do some reading on Trustzone technology and its purpose.

Note that this sequence of operations won't work on most phones launched with Marshmallow or later.

Step 2, factory reset, will clear a critical section of the replay-protected memory block (RPMB). That block stores the rollback protection status of Android Keymaster keys (Keymaster is a TrustZone -- or similar -- app that manages important cryptographic keys). Wiping it will make all such keys permanently unusable, cryptographically, and those keys are used to protect the device encryption keys.

So, when you get to step 7 and restore, you'll be restoring data that is encrypted with keys that you cannot recover.

If, however, you can tamper TrustZone in step 4 so that it, say, always generates the same, known, key for disk encryption, then give it to your target and wait for them to put sensitive data on it, then take it back, dump the flash and decrypt, then you can get the user's data. Oh, you'd also need to brute force the user's password, but that's not hard because phone passwords suck, and you could do it off-device.

Alternatively, if you could rewrite the RPMB data between step 6 and 7, you could "reactivate" the keys, but that would require finding a way to read it before step 2.

In step 4 by "Tamper Trustzone" you mean "Load an old version of Trustzone, because there isn't a vulnerability in the verification, only that you can replace a new verified binary with an old verified binary"

Same goes for the trustlet's this article is about, except a device update will overwrite the old trustlets.

From what I understand, this attack besides needing root, only touches the DRM part. Widevine is mentioned. So, I guess that with this attack you'll be able to access stuff that you thought you had bought but had only rented, like movies. You'll just have to downgrade the widevine component to one that has documented vulnerabilities that let you access your data on your device.

I thought commonly used TrustZone firmwares do have revocation/rollback protection but the OEMs doesn't use it when upgrading the OS. E.g. they bundle a new Widevine version in the update but they don't actually revoke old vulnerable ones.

It explains that when the same key pairs are used for new versions, the old ones can still be loaded.The vendors can change they keys with each version, but since it becomes much harder to manager, they don't.

"We have already reported this vulnerability to the affected mobile vendors, and they have integrated patches in their latest updates, as well as fixes for newer device versions," Yue told Bleeping via email.

This theoretically opens a way to Root ANY android phone. That could be Great.

The main dangers to you as a smartphone user are your cellphone network carrier and the manufacturer of your phone. Both both of them have a direct interest in invading your privacy for money or to keep you captive to their machinery.

Fortunately, Android is built on open source foundations, so Google must publish the source and a build chain. Rooting your phone and installing a 3rd party Android build ( such as LineageOS ) goes

Fortunately, Android is built on open source foundations, so Google must publish the source and a build chain.

No, it isn't.

AOSP is open and free. Android is closed and not free.Further, Android being 100% secure won't fix this. This is an issue similar to Intel's fuck up with AMT. AMD uses ARM TrustZone bits in their processors as well. AMD calls it the PSP.

As an end user, the only thing you should trust is the fact that your device is vulnerable and the powers that be know about it (and likely put the vulnerabilities there in the first place). Because fuck you.

You can't load arbitrary TrustZone OS firmware, only old versions of it.

Replacing the trustlet is not zero footprint, it's a file on the filesystem that the OS loads when it boots. You need to root the device to overwrite the file. Re-flashing the OS will undo your exploit. There's nothing stopping anyone from writing an "Exploit detection app" like the Stagefright detection apps, as all they'll need to do is read the version of the trustlets.

"To reproduce the procedure, the steps are as follows:1. Root the device.2. Remount the file system that contains the trustlets (e.g., “mount -o rw,remount/system”).3. Replace the current trustlets with the corresponding (vulnerable) ones from anolder-version image.4. Use the device as normal."